Google isn’t fixing a serious Android security flaw for months

Google acknowledged that there’s a serious security flaw in Android that would allow attackers to target unsuspecting users with malicious software, but it will only be fixed in the next major release of Android.

Found by CheckPoint, the flaw takes advantage of the way Android works to expose users to certain types of malware attacks, including “ransomware, banking malware and adware.”

Google has confirmed to the security company that the issue is being dealt with in Android O. That’s both good and bad news. Not all Android devices that might be susceptible to such attacks will be upgradeable to Android O, and even if they are, these upgrades never arrive in a timely manner.

However, the flaw exposed by CheckPoint only works with the apps installed directly from the Google Play store. That means hackers must find a way to bypass Google’s Play store anti-malware security before taking advantage of the flaw.

Starting with Android 6.0 Marshmallow, Google made changes to the way app permissions work, dividing the permissions that apps require into various categories. Some of them are labeled as “dangerous,” and they’re granted only at runtime. Users then have to approve these permissions the first time a dangerous resource is required.

CheckPoint explains there’s also a permissions category that contains only one permission, called SYSTEM_ALERT_WINDOW, which the user needs to grant manually, or at least that’s how it was supposed to work. The permission lets an app display over any other app without notifying the user. But Google soon realized that some apps need this functionality enabled after being installed, such as Facebook’s Messenger chat heads feature. So Google made it so that the SYSTEM_ALERT_WINDOW permission is enabled by default on apps that come from the Play store.

Here lies the problem:

This entails a significant potential for several malicious techniques, such as displaying fraudulent ads, phishing scams, click-jacking, and overlay windows, which are common with banking Trojans. It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices.

CheckPoint says that 74% of ransomware, 57% of adware, and 14% of banker malware abuse the feature. “This is clearly not a minor threat, but an actual tactic used in the wild,” the company explains.

In Android O, Google will block apps from abusing the permission by adding a new restrictive permission that will prevent any app from being positioned on top of any critical system windows.
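Because Play store apps receive SYSTEM_ALERT_WINDOW without a prompt, one way to see which apps on a managed device fleet can draw overlays is to check their manifests for it. The following is an added example, not code from CheckPoint or Google; it assumes the manifests have already been decoded to text XML, and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifests; the package names are hypothetical.
SAMPLE_MANIFESTS = [
    f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.chat">
          <uses-permission android:name="android.permission.INTERNET"/>
          <uses-permission android:name="{OVERLAY}"/>
        </manifest>""",
    f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
          <uses-permission android:name="android.permission.INTERNET"/>
        </manifest>""",
    f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
          <uses-permission-sdk-23 android:name="{OVERLAY}"/>
          <uses-permission android:name="android.permission.READ_SMS"/>
        </manifest>""",
]


def requested_permissions(manifest_xml):
    """Return (package, set of permission names) declared in one manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # uses-permission-sdk-23 declares a permission only for Android 6.0+ devices.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name)
    return root.get("package"), names


def overlay_audit(manifests):
    """List apps declaring the overlay permission, with their other permissions."""
    findings = []
    for manifest_xml in manifests:
        package, names = requested_permissions(manifest_xml)
        if OVERLAY in names:
            findings.append({"package": package,
                             "other_permissions": sorted(names - {OVERLAY})})
    return sorted(findings, key=lambda finding: finding["package"])


if __name__ == "__main__":
    for finding in overlay_audit(SAMPLE_MANIFESTS):
        print(finding["package"], "declares", OVERLAY,
              "alongside", finding["other_permissions"])
```

A declared permission only shows that an app can request overlays; whether it is actually granted on a given device still has to be checked on that device.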